modifed win_susp_msoffice.yml

2024-11-08 02:08:54 +00:00 · 2019-10-26 07:55:44 +02:00 · 2019-10-26 07:55:44 +02:00 · bea2daac45
commit bea2daac45
parent fc7f8ecea3
1 changed files with 2 additions and 1 deletions
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@ -19,7 +19,8 @@ detection:
    Image: 
      - '*\powerpnt.exe'
      - '*\winword.exe'
-    CommandLine: '* "http*'
+      - '*\excel.exe'
+    CommandLine: '* http*'
  condition: selection
 level: medium
 falsepositives: